As of Boomla v0.3.0, you can embed 3rd party plugins into your pages, like Youtube videos, Google Maps, Disqus comments, Google Analytics, etc.
Our solution is both safe and simple.
To enable Youtube videos, you have to
place a file named
.Trust (dot, uppercase!) into the file referencing the video,
with the contents
Coomit your changes. That’s it!
Same goes for other services, just use different domains. If you need to reference more domains, just put them on new lines.
The rest of this document is only for tech savvy people.
What you are editing via the
.Trust file is the
Content-Security-Policy HTTP header your website is returning in every request.
If you are familier with
Content-Security-Policy directives, you can specify directive values more specifically. For example, to enable loading Bootstrap from CDN, you could write
While it’s nice to be more specific, it often means you have to do more research on what a service needs, and you are going to enable everything it need anyway, so what’s the benefit of the extra work?
For that reason, you can instead just write
maxcdn.bootstrapcdn.com and Boomla will expand it for you with the proper syntax.
Note that you must commit your
.Trust file to take effect. Here is why. Assume your website is compromised and a hacker succeeds in placing a malicious script with a
.Trust file on your site. That script (virus) will not work so long you haven’t approved it. When commiting, you will be prompted about any additions to your
.Trust files. Thus, to hack your site, hackers will need your permission!
So, Boomla will only trust external vendors which are present in your latest commit. Note that if you have multiple Youtube videos, you will not need to commit every single
.Trust file. Having one commited is enough.
If you are writing or using a Boomla app that relies on 3rd party services, you can add the
.Trust file centrally to your app, so you won’t need to enable every single file of this file type. If you are to install the app, you will also need to commit the
Note that Boomla is not using a central file to enable Content-Security-Policy directives. This is crucial, because this way you will not need to do extra adminstrative work when installing or uninstalling apps, or removing a content that was trusting a 3rd party service provider. The trust will be removed with the content or the app.
Note that the
Content-Security-Policy HTTP header will only be populated according to
.Trust files that are relevant to the response. This means any files that were rendered on the page and any apps that were used for rendering them.